f6473c5b7493894531ccaea474c84fa533a08d6e95bafd0572d369cba6a2d40e

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 20:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe
Size

240KB
MD5

f0979d545a246b66928e09155af6bf57
SHA1

6e82dbb7ca867780b039f80f6f5e29cc878ebf33
SHA256

f6473c5b7493894531ccaea474c84fa533a08d6e95bafd0572d369cba6a2d40e
SHA512

368dce2eb19b279c70b72e8c87883ee565b8ac8705b4a9ff4b968a3a0933c20ae4ed0bea381c454104e6074fd5f7ef2368fad69277d6cf0c3146cb112d9299af
SSDEEP

6144:wayMeM8JKY+zEHLY8b6lXHaTI9nJa6IVU44M:wayMehJLMEHLf6lXHaTIF0PVU4n

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2588	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1892	2588	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe	82
PID 2588 wrote to memory of 1892	2588	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe	82
PID 2588 wrote to memory of 1892	2588	f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0979d545a246b66928e09155af6bf57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\ed0bc468-ad3c-4e58-a452-d60c15889ffd\start.hta
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ed0bc468-ad3c-4e58-a452-d60c15889ffd\helper.dll

Filesize
129KB

MD5
422ecb37db64ebe7c2a4e8814c8258a1

SHA1
99481cb778adf49ed00408e44d4e98c8fe0ff52e

SHA256
b4cad09844154c00bc126dc05b67a0e18ffe2b96e1dd3a3a1841efeb68303eae

SHA512
b9ee987304d0cc53eb4512db082586e9e9cf5b38a3d174db7eb7b25c0a8a385c6d30645d2432b13e30eec4c415e5617bbb7e93756da465ef1633d6257d582e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed0bc468-ad3c-4e58-a452-d60c15889ffd\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed0bc468-ad3c-4e58-a452-d60c15889ffd\start.hta

Filesize
1KB

MD5
1e0053dfeeecf4c16284d6dad4fd86f4

SHA1
fe4ca30de707e1f77e5e258f62007f82633b6773

SHA256
e2d32f98e234880b02f55506b75e13ec992ed53f39c35c19bef070b081eea3bb

SHA512
5fb547735e5516f95ecb68bc5f862c7af963fe415a3aee9f2e4671473d1dbe36c65e2e2760900b96a81f5d27cb49b6f68c2f10d310ede93963ad78eea691e76b

Download Submit